Researchers from the University of Missouri-Kansas City's ASSET Research Group have demonstrated a novel supply chain attack technique named Ghostcommit. This proof-of-concept attack hides malicious prompts within image files (e.g., PNGs) to bypass AI-powered code review tools. When an unsuspecting developer later uses an AI coding agent, the agent is tricked into executing the hidden instructions, leading it to read sensitive files like .env and exfiltrate the contents. This method exploits the current inability of many AI security tools to analyze non-text files, posing a new and subtle threat to software supply chain security.
The Ghostcommit attack targets the modern, AI-assisted software development lifecycle. The core of the attack is a two-part payload committed to a source code repository:
AGENTS.md) containing seemingly benign instructions for an AI agent, telling it to process a specific image file.When a pull request containing these files is submitted, human reviewers and text-based AI code review tools (like CodeRabbit) see no malicious code and approve the merge. The trap is set. Later, when a developer uses an AI coding agent (like Cursor) for a task, the agent parses the AGENTS.md file, is directed to the PNG, and uses its multimodal capabilities to read the text from the image. It then executes the malicious prompt, which instructs it to access and exfiltrate secrets.
The attack leverages several key concepts:
T1598.003 - Spearphishing via Service..env file) are read byte-by-byte and encoded as a tuple of integers. This innocuous-looking data is then inserted into a source code file by the AI agent. This numeric format is designed to evade traditional secret scanners that look for string patterns like API_KEY=.... This is a sub-technique of T1567 - Exfiltration Over Web Service.T1195.002 - Compromise Software Supply Chain.Researchers found that agents like Cursor and Antigravity were vulnerable, while Claude Code consistently refused the malicious instructions. A prototype multimodal review tool built by the researchers using Google's Gemma 4 model was able to detect the attack.
While demonstrated as a proof-of-concept, the Ghostcommit attack has serious implications. If successfully deployed, it could lead to the silent exfiltration of an organization's most sensitive secrets, including database credentials, cloud API keys, and private signing keys. Since the exfiltration is performed by a legitimate AI tool and the data is obfuscated as integers, the breach could go undetected for a long time. This undermines the trust in AI-assisted development tools and highlights the need for security solutions to evolve to handle multimodal threats.
As this is a proof-of-concept, there are no real-world IOCs.
The following patterns could help identify related activity:
AGENTS.md.env.env files by unusual processes, including AI assistant plugins or processes.tuple_of_integers = ( ... )"Add AI agent instructions".env files or other sensitive configuration files should be a high-severity alert. This relates to D3FEND's D3-RAPA - Resource Access Pattern Analysis.M1048 - Application Isolation and Sandboxing.M1017 - User Training.Running AI agents in a sandboxed environment with strict file access controls can prevent them from reading sensitive files like .env.
Educating developers on the risks of prompt injection and how to spot suspicious commits is a critical layer of defense.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.